2515 Views | 0 Helpful | 3 Replies

Traffic from within the same subnet hitting my GW firewall - HELP!

I have a Cisco 5505 HA pair connected to the 10.1.0.0/16 subnet.

The LAN IP is 10.1.1.5 and the standby is 10.1.1.254.

I am looking at the logging and can see traffic going from 10.1.0.0/24 addresses to OTHER 10.1.0.0/24 addresses.

If I tick "Enable traffic between two or more hosts connected to the same interface" and click apply, the logs seem to show the traffic being allowed. However, I have no idea why the traffic should be TOUCHING the firewall at all.

Surely the switches in the middle (Cisco 3750 switches) would forward ARP requests and so forth and learn that the destination MAC addresses for devices on the same network (even though they are not aware of L3) are not out the port that leads to the firewall.

This is the second time I have installed an HA pair at a site and found traffic between devices on the same network hitting the firewall.

Is there some bizarre quirk where an ASA will reply to ARP requests or something?

I have checked all PCs and they are on the correct subnet with the correct subnet masks.

Please help. This is driving me insane and goes against everything I understand about networking.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

ASA firewalls are by default set to reply to ARP requests even if they don't own the IP address. I mean, have it on some local interface or even in a NAT configuration.

So the only thing that I can think of at the moment is that you have Proxy ARP enabled on the interface of the ASA where you are seeing the traffic.

Proxy ARP can be disabled with

sysopt noproxyarp

Here is the Command Reference section on this command:

http://www.cisco.com/en/US/docs/security/asa/command-reference/s21.html#wp1572088

Hope this helps

- Jouni
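Before changing the firewall, it is worth confirming the symptom Jouni describes from a host on the subnet: if the ASA is proxy-ARPing, the neighbour (ARP) cache on a PC will show several ordinary host addresses resolving to the firewall's MAC. The script below is an added example written for this thread, not something from the original post or from Cisco; it assumes Linux `ip neigh show` output as input, uses constructed sample entries (the 10.1.1.5 gateway address comes from the question, the MACs and other hosts are made up), and reports any MAC that answers for two or more addresses in the subnet.

```python
"""Added example: spot the proxy-ARP symptom from the thread in a neighbour
(ARP) table, i.e. one MAC address answering for many IPs in the same subnet.

Assumptions (not from the thread): input is Linux `ip neigh show` output
taken on a host in the affected subnet; the firewall's LAN address is passed
in as gateway_ip so its MAC can be named explicitly."""
from collections import defaultdict
import ipaddress
import re
import sys

# Constructed sample of `ip neigh show` output, not captured from the thread.
# 10.1.1.5 is the firewall's LAN address from the question; 10.1.0.20/21 are
# ordinary hosts that nevertheless resolve to the firewall's MAC.
SAMPLE_NEIGH = """\
10.1.1.5 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.1.0.20 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
10.1.0.21 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
10.1.0.22 dev eth0 lladdr a4:bb:6d:11:22:33 REACHABLE
10.1.0.23 dev eth0 lladdr a4:bb:6d:44:55:66 DELAY
10.1.0.99 dev eth0  FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"\s+(?P<state>\S+)$"
)


def parse_neigh(text):
    """Return (ip, mac) pairs for entries that carry a resolved hardware address."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue  # FAILED/INCOMPLETE entries have no lladdr; nothing to check
        entries.append((ipaddress.ip_address(m.group("ip")), m.group("mac").lower()))
    return entries


def find_proxy_arp_suspects(entries, subnet, gateway_ip, min_claims=2):
    """Group addresses inside `subnet` by MAC and report MACs that claim
    `min_claims` or more of them. The gateway's own address is expected; any
    further host addresses behind the gateway MAC are the proxy-ARP signature.
    Returns {mac: {"is_gateway": bool, "ips": [str, ...]}}."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway_ip)
    gateway_mac = next((mac for ip, mac in entries if ip == gw), None)
    by_mac = defaultdict(set)
    for ip, mac in entries:
        if ip in net:
            by_mac[mac].add(ip)
    return {
        mac: {"is_gateway": mac == gateway_mac, "ips": [str(ip) for ip in sorted(ips)]}
        for mac, ips in by_mac.items()
        if len(ips) >= min_claims
    }


if __name__ == "__main__":
    # Pipe real output in (`ip neigh show | python3 proxyarp_check.py`), or run
    # with no stdin to analyse the constructed sample.
    text = SAMPLE_NEIGH if sys.stdin.isatty() else sys.stdin.read()
    for mac, info in find_proxy_arp_suspects(parse_neigh(text), "10.1.0.0/16", "10.1.1.5").items():
        tag = "gateway MAC" if info["is_gateway"] else "other MAC"
        print(f"{mac} ({tag}) answers ARP for {len(info['ips'])} addresses: {', '.join(info['ips'])}")
```

On the sample, the gateway MAC is reported for 10.1.0.20, 10.1.0.21 and its own 10.1.1.5, which is exactly the pattern that makes the 3750s forward same-subnet frames toward the firewall. If a MAC other than the gateway's shows up with many addresses, that is a different problem (a misconfigured host or another device answering ARP) and disabling proxy ARP on the ASA will not fix it. Note that `sysopt noproxyarp` takes the interface name as its argument, so apply it to the interface where the traffic is seen.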


3 Replies

Thank you sooo much. That's done it.

That's certainly a default behaviour I've never seen before. Very strange.

I just got CCNA Security and bought the CCNP Firewall book a couple of weeks ago. Better hurry up and start reading.

ASA proxy ARP is only triggered for NAT global addresses and VPN client addresses. Check your config to see which one is misdirecting your traffic. It is a common mistake to forget no-proxy-arp on identity NAT statements.
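The reply above points at the usual root cause on ASA 8.3+ style twice NAT: an identity NAT statement (real and mapped object identical) written without `no-proxy-arp`. The following added example, not from the thread or from Cisco, scans the `nat` lines of a running configuration for that pattern and prints the statement with the keyword inserted. The object and interface names in the sample are constructed; the script assumes the `nat (src,dst) source static REAL MAPPED ...` syntax and places `no-proxy-arp` before `route-lookup` where both are used.

```python
"""Added example: audit ASA twice-NAT statements for identity NAT that lacks
the `no-proxy-arp` keyword, the mistake the reply above describes.

Assumptions (not from the thread): input is the `nat` lines from
`show running-config nat`; object/group names and interface names in the
sample are constructed."""
import re

# Constructed excerpt, not from the thread. Line 1 is identity NAT (real and
# mapped objects identical) without no-proxy-arp; line 2 is the same pattern
# done correctly; line 3 is dynamic PAT; line 4 is a genuine static NAT where
# proxy ARP for the mapped address is the desired behaviour.
SAMPLE_NAT_CONFIG = """\
nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET
nat (inside,outside) source static LAN-NET LAN-NET destination static DC-NET DC-NET no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source static WEB-REAL WEB-MAPPED
"""

NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)


def suggest_fix(line):
    """Return the same statement with no-proxy-arp added. ASA syntax places
    no-proxy-arp before route-lookup when both are used."""
    words = line.split()
    if "route-lookup" in words:
        words.insert(words.index("route-lookup"), "no-proxy-arp")
    else:
        words.append("no-proxy-arp")
    return " ".join(words)


def audit_identity_nat(config_text):
    """Return one finding per identity-NAT line that does not set no-proxy-arp.
    Each finding records the line number, the interface pair (which tells you
    where the ASA would answer ARP), the object involved and a suggested fix."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        m = NAT_RE.match(line)
        if not m:
            continue  # dynamic NAT or a non-NAT line
        if m.group("real") != m.group("mapped"):
            continue  # real static translation: proxy ARP on the mapped address is intended
        if "no-proxy-arp" in m.group("rest").split():
            continue  # already hardened
        findings.append({
            "line": lineno,
            "interfaces": (m.group("src_if"), m.group("dst_if")),
            "object": m.group("real"),
            "fix": suggest_fix(line),
        })
    return findings


if __name__ == "__main__":
    for f in audit_identity_nat(SAMPLE_NAT_CONFIG):
        print(f"line {f['line']}: identity NAT for {f['object']} on {f['interfaces']} lacks no-proxy-arp")
        print(f"  suggested: {f['fix']}")
```

Only the first sample line is flagged: the genuine static NAT on line 4 is left alone because answering ARP for a mapped address is the point of that translation. Match the reported interface pair against the interface where the same-subnet traffic is being logged before applying the suggested line; the fix here is narrower than a blanket `sysopt noproxyarp` and keeps proxy ARP working for the translations that rely on it.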
